System Access and Security Policy
Revisions: 7/25/2014 (Division title change); 06/08/2011
The System Access and Security Policy is official Division of Information Technology (DoIT) policy with regard to computer systems and network access for all users of technology within the NIU organization.
Users and departments requesting access to university enterprise systems and data resources agree to follow accepted and prudent practices regarding computer security. The following policies should guide user and departmental practices and procedures:
University data and information stored on university enterprise systems is considered confidential. Access to university information involves both trust and responsibility. Users must ensure that private and sensitive information is not disclosed to unauthorized individuals or organizations who do not have a legitimate reason for access to the information.
Requests for the disclosure of confidential information outside the university will be governed by the provisions of law, including but not limited to the Family Educational Rights and Privacy Act of 1974 as amended in 1998 ("FERPA"), the Illinois School Student Records Act, the Illinois Freedom of Information Act, as well as applicable university policies regarding information security. All such requests will be honored only when approved by university officials who are the legal custodians of the information requested, or if required by state or federal law or court order.
Computer systems are provided to users to perform university business. Denial of service caused by the installation of unauthorized software that compromises an individual or network system, or virus infections that corrupt or delete system software or data is a serious threat to university operations. Users shall refrain from practices that tend to compromise the availability of computer systems or resources.
Accuracy and Integrity
Accuracy and integrity are essential elements in the use, storage and retrieval of electronic data. The use and/or exchange of data must be done with adequate controls to ensure integrity and verifiable results. Authenticity requires that data is not corrupted or altered in a way that would misrepresent it or hinder auditability.
- Follow good security practices as outlined in this security policy as well as supplemental departmental security policies and procedures.
- Maintain and use computer workstations in accordance with this Security Policy, the NIU Acceptable Use Policy (AUP) and applicable supplemental departmental security policies and procedures.
- Report known violations of this security policy, the AUP and/or supplemental departmental security policies to management.
- Only request access to official files and records necessary to perform duties as defined by the user's position description.
- Remote access to ERP or critical infrastructure systems must be accomplished via an NIU virtual private network (VPN) connection, HTTPS, or another similarly secure method.
- Confidential data and information may be transferred among university staff only as required for fulfilling assigned duties and responsibilities.
- Do not attempt to access data or programs on enterprise systems for which the user does not have authorization or explicit consent of the owner of the data.
- Do not reproduce, edit, revise or otherwise alter data and information except as required for legitimate university reporting purposes.
- Do not make copies of system configuration files (e.g., password files, cache files, registry entries, .ini files, .cfg files, etc.) for unauthorized personal use or to provide to other people/users for unauthorized uses.
- Do not purposely engage in activity with the intent to do any of the following: harass other users; degrade the performance of systems; deprive an authorized user of access to a university resource; obtain extra resources beyond those allocated; circumvent computer security measures; or gain access to enterprise systems for which proper authorization has not been given.
- Do not disclose or share a user login id and password with others except as required for system maintenance purposes or for purposes of promptly changing a password as appropriate.
- Do not download, install or run security programs or utilities which reveal weaknesses in the security of a system except as specifically required by the user's position. For example, only users whose position requires it may run or "test" password cracking programs or network sniffers on university computing systems.
- Refrain from installing personal or third party applications or devices not related to a user's job function that may compromise access to university enterprise systems.
- Do not seek personal benefit or permit others to benefit by disclosing or otherwise using confidential data or information which has come to him/her by virtue of work assignment.
- Do not use university computing resources for private, commercial gain.
Supervisor and Departmental Responsibilities
- Ensure that only authorized users have access to university data for appropriate departmental and university business purposes.
- Ensure that official files, reports, and data accurately reflect university operations and transactions.
- Ensure that user IDs and passwords are not shared and that appropriate access and usage policies are maintained and enforced.
- Be subject to periodic audits of departmental practices and procedures regarding access to enterprise computer resources.
- Notify DoIT Security and/or the local area network administrator of any change in a user's job function or employment that would require changes to be made to the user's access at least five business days before such a status change. Managers must specify both the access to be added and the access to be revoked, as appropriate for the job change.
- Request that accounts or passwords for individuals who no longer require access to network resources be deactivated within 24 hours of the user's change in status.
- Set up and configure university owned computer workstations in accordance with this security policy and supplemental departmental security policies and procedures.
- Ensure that DoIT-certified virus protection software is properly installed and functioning on computer workstations.
- Ensure that staff is adequately trained in basic Windows usage and navigation skills and that users have had appropriate training in applicable software packages.
Consequences of Noncompliance
Noncompliance with these guidelines constitutes a violation of security policy. Violations shall be reported to the proper university officials and will result in short-term or permanent loss of access to enterprise computing systems. Violators are also subject to university disciplinary procedures. Serious violations may be referred to state and/or federal law enforcement officials and may result in civil or criminal prosecution. In the event that it is necessary to suspend an existing user's account for security or disciplinary reasons, the account will not be reinstated until or unless the user is witnessed to have read the SASP and signs a Statement of Responsibility for retention by DoIT Security.